TL;DR:
If a “new client” asks you to click Google Drive links, complete a Google authorization, and then send back login credentials, stop. It’s likely a phishing scam designed to hijack your Google account. Trust your instincts and don’t click.
_______________________
We want to share a recent experience to help other business owners, consultants, and agencies avoid a scam that’s becoming increasingly common and increasingly convincing.
Westvyne was recently contacted by someone claiming to represent a nonprofit organization looking for website improvements. The emails appeared legitimate. There was a real website, a list of tasks in a Google Doc, and an explanation about issues with a previous marketing team. At first glance, everything felt fairly normal. We requested a Zoom or Teams meeting to discuss, but since we didn’t hear back, we figured they had found another provider.
They reached out again a few days later saying that they wanted to proceed. We were sent another Google Drive link and was then asked to click a file, complete a Google authorization process, and send back newly generated login credentials so they could “grant us full access.”
We did not click the final Google Drive link or complete the authorization because the request didn’t align with any secure or standard onboarding process. After taking a closer look, it became clear this was a phishing attempt designed to gain access to Google accounts.
That was the point where we stopped and called the organization they allegedly represented. The organization confirmed that this was a scam.
This scam works because it looks and sounds legitimate. It uses real-looking organizations and websites (in this case, an actual organization that was unaware of what was happening), mimics normal project onboarding language, relies on Google Drive which many teams trust by default, and creates urgency by claiming a broken system or workflow disruption. Once a malicious Google authorization is completed, attackers may gain access to email, Drive files, contacts, and other connected tools.
There are several red flags to watch for. Requests to complete a Google authorization and send back credentials are a major warning sign. Pressure to click Drive links before a signed agreement or verified onboarding should also raise concern. Be cautious of Gmail addresses posing as official organizational contacts, reluctance to schedule a live call or Zoom meeting, and vague references to “previous teams” or broken internal systems.
To protect your business, never share usernames, passwords, or authorization tokens via email. Verify new clients with live calls and domain-based email addresses. Regularly review app permissions in your Google account. Most importantly, trust your gut. If something feels off, it usually is.
We’re sharing this because scams like this are getting smarter and more targeted, especially toward service providers and agencies. If this post helps even one business avoid a compromised account, it’s worth sharing.
Stay safe,
Westvyne